Vendors are a common element in today’s business environment. Outsourcing services and processes to vendors provides flexibility, convenience and cost savings. However, these outsourcing arrangements don’t come without increased risk. Data breaches stemming from third parties have been increasing year over year. When identities are stolen or sensitive information is made public, your customers won’t care that it was the vendor’s fault. Regulators and examiners alike are also taking note, as can be seen in recent legislation and guidance related to managing third parties. According to the Federal Deposit Insurance Corporation’s (FDIC) Guidance For Managing Third-Party Risk, “An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.” While services can be outsourced, the risk cannot.
Why is this important? Many organizations continue to outsource critical activities and fail to recognize the risks that arise from those relationships. Whether it is outsourcing certain information technology operations, sensitive data processing and storage, or simple marketing, legal or HR services, sensitive/proprietary information is often shared with third parties without first assessing the security controls within that organization. To that end, third-party risk management is critical when it comes to managing risk across the enterprise. To achieve assurance over activities performed by third parties, organizations should implement sound third-party risk management practices.
When it comes to guidance, there are plenty of great options available. There are many compliance-based guides that may be applicable based on the industry you are in. For example, with our clients in the banking world, the FDIC guidance mentioned earlier comes to mind. At Schneider Downs we are a member firm of the Shared Assessments Program, which provides widely adopted vendor risk management tools and resources for enterprise organizations to evaluate and measure vendor risk. These tools are industry agnostic and provide third-party risk management best practices regardless of the industry you may be in.
No matter what framework or guidance you plan to adopt, some of the key recommendations remain.
Key Recommendations for Third-Party Risk Management
- Planning - Develop a plan for managing third-party risk that defines the scope of the risk, the services being outsourced, and the data in use, so that those risks can be controlled. Inventory your vendors and the type of data that each of them holds.
- Due diligence and third-party selection - Conduct reviews of third parties prior to signing contracts, and annually thereafter. To assist with this review, obtain and review independent reports, such as SOC 1 and SOC 2 reports, to ensure that third parties are complying with industry standards. In the absence of these reports, use an industry-adopted best practice such as the Standard Information Gathering (SIG) questionnaire.
- Contract negotiation - Develop contracts with third parties that clearly outline the responsibilities of each party. Contracts should be reviewed regularly, with the review itself required by the contract, to ensure that they address current third-party risks. Contracts should also include a “right to audit” clause.
- Ongoing monitoring - Perform IT and operational assessments of third parties’ internal controls on a regular basis to ensure that third parties have appropriate controls in place for protecting sensitive/proprietary information. Continuous review is necessary to understand the most current level of risk for each vendor.
- Termination - Develop contingency plans for transferring activities to another third party, bringing the activity in-house, or eliminating the activity (and its associated data) altogether.
In addition to the aforementioned activities, organizations should assign responsibility for third-party management to appropriate members of the organization who have sufficient knowledge of the enterprise risk management process and of the nature of the third-party relationships. Standardized documentation and reporting procedures should be implemented to ensure that third-party management activities are being performed and reported on appropriately. Lastly, organizations should perform independent reviews of their third-party management programs to ensure that third-party risk management activities are appropriately aligned with their enterprise-wide risk program, that they meet industry-recommended best practices, and that they effectively manage the risk posed by third parties.